The speed and agility of the cloud is lost—dev must request environment changes from IT again.
Use the F5 Application Connector to automatically update the BIG-IP.
In the last post, we showed how to get the stability and security of hosting BIG-IPs in the same data center as cloud servers (aka Cloud Interconnect). While this is a great solution, it re-created the problem of the dev team filing tickets with IT in order to move application servers to production.
Enter the Application Connector from F5. With the Application Connector, any time you create or delete an application server in the cloud, the BIG-IPs automatically know about it and update their configuration accordingly. And though the example below uses AWS, the Application Connector can be used in multiple clouds, helping prevent lock-in to any one cloud.
The Application Connector is made up of two components:
The Application Connector Proxy, which is delivered as a Docker container that's deployed in a cloud environment
The Application Connector Service Center, which is deployed as an iAppsLX package on the BIG-IPs
The Application Connector Proxy establishes an outbound connection to the BIG-IPs, using a secure TLS tunnel to encrypt traffic between the cloud app servers and BIG-IPs.
In our example, we're showing the Application Connector in conjunction with Cloud Interconnect, but your BIG-IPs can be physical or virtual (aka BIG-IP VEs), and can be on-premises or in a remote location.
Auto-discovery of nodes
As we said, after some initial configuration, the BIG-IPs are automatically updated with the latest nodes.
In AWS, nodes are discovered and published automatically, and as of June 2017, similar functionality is also planned for Azure and Google. With these functions, you eliminate the need for manual updates to the BIG-IP; developers no longer have to contact IT every time they add or remove cloud servers.
In the following example, DevOps has chosen to disable two nodes in the Application Connector Proxy.
This change is then reflected in the Application Connector Service Center as well. The Application Connector Service Center lets NetOps/SecOps access a full list of nodes and their statuses, no matter which cloud they are in.
You can choose to disable automatic publishing to the BIG-IP, thus giving you the power to select which nodes you would like the BIG-IP to see.
Scale out to other clouds
You can now use multiple clouds and have BIG-IP automatically updated with all the nodes.
Even if your IP address ranges overlap across multiple clouds, Application Connector handles it without issue.
When you use the Application Connector, no public IP addresses need to be directly associated with the application servers. Because of this, the apps are hidden from clients and bad actors.
Another security benefit is centralized encryption. Encryption keys no longer need to be stored in the cloud next to the application servers, but instead are stored on the BIG-IPs and can be shared across multiple clouds.
Consistent Services & Policies
When you're using the Application Connector, service configurations such as load balancing, WAF, traffic manipulation, and authentication, as well as the policies that go with them, are all centrally managed on the BIG-IP by NetOps/SecOps/IT.
After the initial configuration of the Application Connector, no management or maintenance is necessary. It’s simpler than maintaining a VPN tunnel and it’s small—you don’t have to worry about it taking up too many resources. DevOps no longer has to request changes whenever they add or remove app servers. They can update the Application Connector Proxy any time they choose.